Endless Exploit Attempts Underline Importance of Timely Java Patching

The appearance of a new exploit has helped turn the spotlight this week on a common target of attackers – Java software.

The exploit targets CVE-2011-3544, and has been observed being sold in the cyber-underground as part of the BlackHole crimeware kit. The vulnerability was patched by Oracle in October, but apparently has generated enough interest for the hacker responsible for maintaining and selling BlackHole to offer $4,000 – minus the cost of a license for the kit.

In a blog post, Tim Rains, director of product management in Microsoft’s Trustworthy Computing group, wrote that Java’s ubiquity has been the key reason it has become an attractive target for attackers.

“As reported in the latest volume of the Microsoft Security Intelligence Report (volume 11), the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK),” he wrote. “During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits. During this one year period, Microsoft (anti-malware) technologies detected or blocked, on average, 6.9 million exploit attempts on Java related components per quarter, totaling almost 27.5 million exploit attempts during the year.”

Adding to their efficacy is the fact that organizations often take their time when it comes to patching. Though users could download Java patches directly from Oracle, most enterprises rely on the operating system vendors to provide the patches, explained Jonathan Cran, QA Director of the Metasploit Project at Rapid7. As a result, organizations patch Java sporadically, even though the patches themselves were available directly soon after the release of the vulnerability, he said.

Oracle is patching the vulnerabilities, but they must then be distributed to the systems running the vulnerable software, he said.

“This distribution process isn't always timely - case in point: Ubuntu Linux, which is still waiting for the update - and is handled differently across the different OSs (operating systems),” Cran said.

“What I'm really getting at is that each OS has made decisions about how to handle the updates for third-party software on their systems, for better or worse,” he continued. “Microsoft has pushed this process to the individual software manufacturer…(and) Apple and Canonical have rolled this functionality into their own Update / QA process. Moving it into the OS update process introduces lag, but also increases reliability that the patch will be eventually installed, especially by enterprise users. For now, Apple has been able to get the update out and appears to be a good model to follow, while Ubuntu users are still waiting. Microsoft Windows users will sporadically receive it over the next month, as the tray icon does its work.”

“This is analogous to the problems we're seeing on the Android platform, where the OS manufacturer (Google) is creating and shipping updates, but it takes some time for these to be applied to the phones, if they're ever made available by the phone manufacturer,” Cran added.

Despite the challenges, Symantec Security Intelligence Manager Joshua Talbot said people shouldn’t be too quick to jump from Java.

“Individuals and organizations have to weigh their needs against the risk they face from a potential compromise,” he said. “Administrators and users should also remember that there are often many mitigating options available, such as only allowing Java from trusted sites and temporarily disabling Java until patches are available.”